4. Suricata fails to start

Suricata fails to start

  • S

    Here is the raw output from suricata.log:
    –------------------------------------------------

    24/12/2017 -- 01:33:39 - <notice>-- This is Suricata version 4.0.1 RELEASE
    24/12/2017 -- 01:33:39 - <info>-- CPUs/cores online: 8
    24/12/2017 -- 01:33:39 - <info>-- HTTP memcap: 67108864
    24/12/2017 -- 01:33:39 - <notice>-- using flow hash instead of active packets
    24/12/2017 -- 01:33:47 - <info>-- 2 rule files processed. 9690 rules successfully loaded, 0 rules failed
    24/12/2017 -- 01:33:47 - <info>-- Threshold config parsed: 0 rule(s) found
    24/12/2017 -- 01:33:47 - <info>-- 9690 signatures processed. 382 are IP-only rules, 3861 are inspecting packet payload, 6427 inspect application layer, 102 are decoder event only
    24/12/2017 -- 01:33:57 - <info>-- fast output device (regular) initialized: alerts.log
    24/12/2017 -- 01:33:57 - <info>-- http-log output device (regular) initialized: http.log
    24/12/2017 -- 01:33:57 - <info>-- tls-log output device (regular) initialized: tls.log
    24/12/2017 -- 01:33:57 - <info>-- stats output device (regular) initialized: stats.log
    24/12/2017 -- 01:33:57 - <info>-- dns-log output device (regular) initialized: dns.log
    24/12/2017 -- 01:33:57 - <info>-- dns-log output device (regular) initialized: dns.log
    24/12/2017 -- 01:33:57 - <info>-- Using 1 live device(s).
    24/12/2017 -- 01:33:57 - <info>-- using interface bce1
    24/12/2017 -- 01:33:57 - <info>-- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
    24/12/2017 -- 01:33:57 - <info>-- Found an MTU of 1500 for 'bce1'
    24/12/2017 -- 01:33:57 - <info>-- Set snaplen to 1524 for 'bce1'
    24/12/2017 -- 01:33:57 - <error>-- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
    24/12/2017 – 01:33:57 - <error>-- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed
    24/12/2017 – 01:33:57 - <error>-- [ERRCODE: SC_ERR_MEM_ALLOC(1)] - failed to setup/expand stream session pool. Expand stream.memcap?
    24/12/2017 – 01:33:57 - <info>-- RunModeIdsPcapAutoFp initialised
    24/12/2017 -- 01:33:57 - <error>-- [ERRCODE: SC_ERR_THREAD_INIT(49)] - thread "W#08" failed to initialize: flags 0145
    24/12/2017 – 01:33:57 - <error>-- [ERRCODE: SC_ERR_INITIALIZATION(45)] - Engine initialization failed, aborting…</error></error></info></error></error></error></info></info></info></info></info></info></info></info></info></info></info></info></info></info></notice></info></info></notice>

    0
  • N

    Increase the memory for the Stream Memory Cap

    0

  • You have an eight-core CPU, so as @ntct says, increase the Stream Memcap value on the FLOW/STREAM tab to at least 256 MB and try to start again.  Keep increasing the value in 4 MB or 8 MB chunks until Suricata starts.  You can then try backing it down if you wish until it breaks, then bump it up slightly.  Some changes in the Suricata binary in a recent revision caused an increase in needed stream memory when using high core-count CPUs.  The old default of 32 MB is too low.

    Bill

    0
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy